Over the past several years, European regulators have introduced a bevy of new regulations. These changes are aimed at updating and standardizing rules across Europe, while providing consumers with more payment options, security, and control over their financial and personal data.
For merchants, the changing regulatory landscape has created an alphabet soup of acronyms, from PSD2 to GDPR. Not surprisingly, there is a great deal of confusion over how the new regulations impact them and what, if anything, they need to do to stay compliant.
As a premier fintech institution with global reach, we’re monitoring these developments and making necessary changes to our platforms to ensure that our clients stay current.
Merchants interested in understanding more about how new regulations and payment practices impact their business may want to be aware of the following five changes.
Multi-Fee Interchange Regulations (MIF)
One of the first changes to payment regulation, MIF went into effect in 2015. The regulations set caps on the fees that card-issuing banks and networks charge -- these account for the largest share of fees merchants pay to process transactions. MIF also gives merchants the option of choosing a bundled pricing structure or paying for transaction fees à la carte.
SEPA Instant Credit Transfer (SCT Inst)
After becoming operational in late 2017, SEPA instant credit transfers are now being rolled out across Europe. Prior to SCT Inst, bank transfers could take several days and incur significant fees. With the establishment of pan-European instant payments, consumers have the option of paying for transactions with direct deposits from their banks. Braintree will share information on opportunities to take advantage of Instant Payments as they become available.
Payment Services Directive II (PSD2)
Among the most significant regulatory changes for merchants, PSD2 seeks to update payment standards for the digital age, enhancing payments security, and leveling the playing field for alternative payment providers (see my previous post on PSD2 here). Although January 13, 2018, was the official deadline for most of the directive to go into effect, two key mandates of the regulation -- Strong Consumer Authentication (SCA) and Access to Accounts/Open APIs (XS2A) -- will not be enforced until 18 months after.
General Data Protection Regulation (GDPR)
Effective May 2018, GDPR will require companies to comply with new standards for protecting EU consumer personal data (read our post about GDPR here). Companies should be ready to release details of personal information they collect to consumers who request it and subsequently delete that data upon request. This not only raises the bar on personal data protection, but also potentially means that merchants must have the systems and processes in place to satisfy such consumer requests. Braintree’s toolkit can help merchants in their overall compliance, but you’ll need to contact us if EU cardholders request details about, or deletion of, any data we are processing on our merchants' behalf.
3-D Secure 2.0 (3DS2)
Slated to go into effect in 2019, this update in security protocols will require merchants to use biometric or token-based authentication. The change, which is being primarily driven by credit card brands and associations, is ultimately a good thing for both cardholders and merchants. Not only will it likely result in more secure and simplified checkouts for consumers by eliminating the initial sign-up process, it should reduce incidents of fraud and offer merchants more protection in the event that consumers dispute legitimate charges. And through the new 3DS2 technology, the risk of compromising conversion rates should also be reduced.
Braintree is in the process of 3DS2 integration and will work with our merchants to ensure that they have the pieces in place to update their checkouts for the next generation of security. The timing will depend on region, current security status and data passed to Braintree. Merchants should be on the lookout for updates in the coming months.